Add option to enforce 2FA on a service

server/authserver.go

@@ -161,6 +161,7 @@ type BackendSpec struct {
 type ServiceConfig struct {
 	BackendSpecs      []*BackendSpec `yaml:"backends"`
 	ChallengeResponse bool           `yaml:"challenge_response"`
+	Enforce2FA        bool           `yaml:"enforce_2fa"`
 
 	Ratelimits []string `yaml:"rate_limits"`
 
@@ -379,7 +380,7 @@ func (s *Server) authenticateUser(req *auth.Request, serviceConfig *ServiceConfi
 	// has 2FA enabled or not, and on whether the service itself
 	// supports challenge-response authentication.
 	var resp *auth.Response
-	if user.Has2FA() {
+	if serviceConfig.Enforce2FA || user.Has2FA() {
 		if serviceConfig.ChallengeResponse {
 			resp = s.authenticateUserWith2FA(user, req)
 		} else {